FortiGate
rameshk_FTNT
Staff
Article Id 198722
Description
This article describes FortiGate administrative access security best practices.

For security reasons you may opt to raise the administrative lockout duration (in seconds) or lower the lockout threshold (number of failed attempts).

Solution
For example, if the lockout threshold is changed to 1 with a lockout duration of 120 seconds, then someone who enters an incorrect user name and password once must wait 120 seconds before they can attempt to log in again.

From the CLI, type:
FGT# config system global
FGT(global)# set admin-lockout-duration 60
FGT(global)# set admin-lockout-threshold 3
FGT(global)# end

admin-lockout-duration is given in seconds; admin-lockout-threshold is the number of failed attempts before lockout and may be set to 2, 5 or any other value.
Other security considerations

It is best practice to only allow external access to the device when needed (System > Network). If this access must be kept open, then if possible assign trusted hosts (System > Admin) to the account so that only users coming from those specific IPs can access it. If neither of these is possible, you may opt to change the default administrative port to a non-standard port (System > Admin > Settings); port scanners often skip high-numbered ports, so this reduces exposure, although it does not replace restricting access by interface or trusted host.

Summary

1) Only allow access on external interface when needed
2) When enabling remote access, configure access with trusted hosts
3) Change the default administrative port to a non-standard port
4) Modify lockout duration and threshold values (if required)
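The four summary items as one FortiOS CLI configuration, added here as an example and not taken from the original article. The interface name wan1, the administrator account name admin, the trusted-host addresses (RFC 5737 documentation ranges) and the port numbers are constructed assumptions; substitute your own.

```fortios
# 1) Remove administrative protocols from the external interface (keep only ping,
#    or nothing at all) so HTTPS/SSH management is not reachable from outside.
#    Interface name "wan1" is an assumption.
config system interface
    edit "wan1"
        set allowaccess ping
    next
end

# 2) Restrict the administrator account to trusted hosts so that logins are
#    only accepted from these sources, even on interfaces that allow access.
#    Addresses are constructed examples.
config system admin
    edit "admin"
        set trusthost1 203.0.113.10 255.255.255.255
        set trusthost2 198.51.100.0 255.255.255.0
    next
end

# 3) Move the management ports off the defaults (443 / 22) and
# 4) tighten the lockout threshold and duration (threshold in attempts,
#    duration in seconds). Port values are assumptions.
config system global
    set admin-sport 8443
    set admin-ssh-port 2222
    set admin-lockout-threshold 3
    set admin-lockout-duration 120
end
```

After applying, verify from a host that is not in the trusted-host list that the login page is refused, and from a trusted host that it is reachable only on the new port; keep a console or trusted-host session open while changing ports so a mistake cannot lock you out.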

Related Articles

Configuring Administrator access to a FortiGate unit using Trusted Hosts
